@cloud-copilot/iam-simulate 0.1.99 → 0.1.101
- package/dist/cjs/analysis/analyzeResults.d.ts +37 -0
- package/dist/cjs/analysis/analyzeResults.d.ts.map +1 -0
- package/dist/cjs/analysis/analyzeResults.js +95 -0
- package/dist/cjs/analysis/analyzeResults.js.map +1 -0
- package/dist/cjs/index.d.ts +2 -1
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +3 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/esm/analysis/analyzeResults.d.ts +37 -0
- package/dist/esm/analysis/analyzeResults.d.ts.map +1 -0
- package/dist/esm/analysis/analyzeResults.js +91 -0
- package/dist/esm/analysis/analyzeResults.js.map +1 -0
- package/dist/esm/index.d.ts +2 -1
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +1 -0
- package/dist/esm/index.js.map +1 -1
- package/package.json +1 -1
|
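--- /dev/null
+++ b/package/dist/cjs/analysis/analyzeResults.d.ts
@@ -0,0 +1,37 @@
+import { RequestAnalysis } from '../evaluate.js';
+/**
+* Analyze a RequestAnalysis to see if the request was allowed by identity policies.
+*
+* @param requestAnalysis the request analysis
+* @returns true if the request was allowed by identity policies, false otherwise
+*/
+export declare function isAllowedByIdentityPolicies(requestAnalysis: RequestAnalysis): boolean;
+export type DenialPolicyType = 'identity' | 'resource' | 'scp' | 'rcp' | 'permissionBoundary' | 'endpointPolicy';
+export type RequestDenial = {
+policyType: DenialPolicyType;
+identifier?: string;
+denialType: 'Implicit';
+} | {
+policyType: DenialPolicyType;
+policyIdentifier?: string;
+statementId: string;
+denialType: 'Explicit';
+};
+/**
+* Find the policy statements that caused a request to be denied.
+* Analyzes the RequestAnalysis and returns the specific reasons why the request was denied.
+*
+* For an implicit denial, it returns:
+* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
+* - the identifier, if applicable for an Organizational Unit identifier for SCPs.
+*
+* For an explicit denial, it returns:
+* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
+* - the policy identifier, if applicable for a managed policy or an SCP
+* - the statement ID (or index) of the denying statement.
+*
+* @param requestAnalysis the request analysis
+* @returns a list of RequestDenial objects describing the reasons for denial
+*/
+export declare function getDenialReasons(requestAnalysis: RequestAnalysis): RequestDenial[];
+//# sourceMappingURL=analyzeResults.d.ts.map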
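Review bot: The getDenialReasons docblock describes the implicit-denial identifier as an Organizational Unit identifier "for SCPs" only, but the implementation in analyzeResults.js calls addOuPolicyDenials for both 'scp' and 'rcp', so the same identifier is emitted for RCP denials; suggest `* - the identifier, if applicable: the Organizational Unit identifier for SCPs and RCPs.`. The two RequestDenial variants also name their optional field differently (`identifier` on the implicit variant, `policyIdentifier` on the explicit one) even though one holds an OU identifier and the other a policy identifier; since the type is new in this version, a more specific name such as `orgIdentifier` on the implicit variant would stop consumers confusing the two, though that is a judgement call. The same docblock is repeated in the esm analyzeResults.d.ts and in both analyzeResults.js files and would need the same wording fix.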
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,eAAe,EAGhB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GACxB,UAAU,GACV,UAAU,GACV,KAAK,GACL,KAAK,GACL,oBAAoB,GACpB,gBAAgB,CAAA;AAEpB,MAAM,MAAM,aAAa,GACrB;IACE,UAAU,EAAE,gBAAgB,CAAA;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE,UAAU,EAAE,gBAAgB,CAAA;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,WAAW,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAiBlF"}
|
|
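--- /dev/null
+++ b/package/dist/cjs/analysis/analyzeResults.js
@@ -0,0 +1,95 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isAllowedByIdentityPolicies = isAllowedByIdentityPolicies;
+exports.getDenialReasons = getDenialReasons;
+/**
+* Analyze a RequestAnalysis to see if the request was allowed by identity policies.
+*
+* @param requestAnalysis the request analysis
+* @returns true if the request was allowed by identity policies, false otherwise
+*/
+function isAllowedByIdentityPolicies(requestAnalysis) {
+const identityAnalysis = requestAnalysis.identityAnalysis;
+if (!identityAnalysis) {
+return false;
+}
+return identityAnalysis.result === 'Allowed';
+}
+/**
+* Find the policy statements that caused a request to be denied.
+* Analyzes the RequestAnalysis and returns the specific reasons why the request was denied.
+*
+* For an implicit denial, it returns:
+* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
+* - the identifier, if applicable for an Organizational Unit identifier for SCPs.
+*
+* For an explicit denial, it returns:
+* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
+* - the policy identifier, if applicable for a managed policy or an SCP
+* - the statement ID (or index) of the denying statement.
+*
+* @param requestAnalysis the request analysis
+* @returns a list of RequestDenial objects describing the reasons for denial
+*/
+function getDenialReasons(requestAnalysis) {
+const denials = [];
+const overallResult = requestAnalysis.result;
+addSimplePolicyDenials(requestAnalysis.identityAnalysis, 'identity', overallResult, denials);
+addSimplePolicyDenials(requestAnalysis.resourceAnalysis, 'resource', overallResult, denials);
+addOuPolicyDenials(requestAnalysis.scpAnalysis, 'scp', overallResult, denials);
+addOuPolicyDenials(requestAnalysis.rcpAnalysis, 'rcp', overallResult, denials);
+addSimplePolicyDenials(requestAnalysis.permissionBoundaryAnalysis, 'permissionBoundary', overallResult, denials);
+addSimplePolicyDenials(requestAnalysis.endpointAnalysis, 'endpointPolicy', overallResult, denials);
+return denials;
+}
+/**
+* Helper for identity-style policies (identity, resource, permissionBoundary, endpoint).
+* Adds denial reasons from a simple policy analysis.
+*/
+function addSimplePolicyDenials(analysis, policyType, overallResult, denials) {
+if (!analysis)
+return;
+if (analysis.result === 'ImplicitlyDenied' && overallResult === 'ImplicitlyDenied') {
+denials.push({ policyType, denialType: 'Implicit' });
+}
+else if (analysis.result === 'ExplicitlyDenied' && overallResult === 'ExplicitlyDenied') {
+for (const stmt of analysis.denyStatements) {
+denials.push({
+policyType,
+policyIdentifier: stmt.policyId,
+statementId: stmt.statement.sid() || stmt.statement.index().toString(),
+denialType: 'Explicit'
+});
+}
+}
+}
+/**
+* Helper for OU-based policies (scp, rcp).
+* Adds denial reasons from an organizational policy analysis.
+*/
+function addOuPolicyDenials(analysis, policyType, overallResult, denials) {
+if (!analysis)
+return;
+if (analysis.result === 'ImplicitlyDenied' && overallResult === 'ImplicitlyDenied') {
+for (const ou of analysis.ouAnalysis) {
+if (ou.result === 'ImplicitlyDenied') {
+denials.push({ policyType, identifier: ou.orgIdentifier, denialType: 'Implicit' });
+}
+}
+}
+else if (analysis.result === 'ExplicitlyDenied' && overallResult === 'ExplicitlyDenied') {
+for (const ou of analysis.ouAnalysis) {
+if (ou.result === 'ExplicitlyDenied') {
+for (const stmt of ou.denyStatements) {
+denials.push({
+policyType,
+policyIdentifier: stmt.policyId,
+statementId: stmt.statement.sid() || stmt.statement.index().toString(),
+denialType: 'Explicit'
+});
+}
+}
+}
+}
+}
+//# sourceMappingURL=analyzeResults.js.map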
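Review bot: getDenialReasons returns an empty array whenever requestAnalysis.result is neither 'ImplicitlyDenied' nor 'ExplicitlyDenied', and both helpers only record a denial whose kind matches the overall result, so for an explicitly denied request the implicit denials from other policy types are dropped, and vice versa; a caller therefore cannot tell "allowed" from "denied, but by a kind this function does not report" by looking at the result alone. That is a defensible contract, but the docblock does not state it; the `@returns` line should say so, e.g. `* @returns the denials of the same kind as the overall result; an empty array when the overall result is not a denial`. On the two statementId lines, `||` means an empty-string sid also falls through to the index; if sid() returns undefined for a missing Sid, `??` would make the intent clearer, though whether sid() can return an empty string is not visible in this diff. The esm analyzeResults.js carries the same code and docblock.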
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":";;AAeA,kEAOC;AAuCD,4CAiBC;AArED;;;;;GAKG;AACH,SAAgB,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AAuBD;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAE5C,sBAAsB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC5F,sBAAsB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC5F,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC9E,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC9E,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,oBAAoB,EACpB,aAAa,EACb,OAAO,CACR,CAAA;IACD,sBAAsB,CAAC,eAAe,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAElG,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,IAAI,QAAQ,CAAC,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QACnF,OAAO,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAA;IACtD,CAAC;SAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QAC1F,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;gBACtE,UAAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,IAAI,QAAQ,CAAC,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QACnF,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,CAAC,aAAa,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAA;YACpF,CAAC;QACH,CAAC;IACH,CAAC
;SAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QAC1F,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;wBACtE,UAAU,EAAE,UAAU;qBACvB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC"}
|
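--- a/package/dist/cjs/index.d.ts
+++ b/package/dist/cjs/index.d.ts
@@ -1,8 +1,9 @@
+export { getDenialReasons, type DenialPolicyType, type RequestDenial } from './analysis/analyzeResults.js';
 export { typeForContextKey } from './context_keys/contextKeys.js';
 export { BaseConditionKeyType, isConditionKeyArray, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';
 export type { SimulationMode } from './core_engine/CoreSimulatorEngine.js';
-export type { EvaluationResult, IgnoredCondition, IgnoredConditions } from './evaluate.js';
+export type { EvaluationResult, IgnoredCondition, IgnoredConditions, RequestAnalysis } from './evaluate.js';
 export type { ActionExplain, ConditionExplain, ConditionValueExplain, ExplainPrincipalMatch, PrincipalExplain, ResourceExplain, StatementExplain } from './explain/statementExplain.js';
 export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
 export type { Simulation, SimulationIdentityPolicy, SimulationOrgPolicies } from './simulation_engine/simulation.js';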
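Review bot: isAllowedByIdentityPolicies is declared with `export` in analysis/analyzeResults.d.ts and assigned to `exports` in the cjs analyzeResults.js, but it is not re-exported from this index, so consumers can only reach it through a deep import of the dist path. If it is meant to be public it belongs on the first added line, `export { getDenialReasons, isAllowedByIdentityPolicies, type DenialPolicyType, type RequestDenial } from './analysis/analyzeResults.js';`, with matching lines in cjs/index.js and the esm index.d.ts/index.js; if it is intentionally internal, dropping `export` from its declaration in the source would make that explicit. I cannot tell from the diff which was intended.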
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,yCAAyC,CAAA;AACjG,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
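--- a/package/dist/cjs/index.js
+++ b/package/dist/cjs/index.js
@@ -1,6 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isWildcardOnlyAction = exports.runUnsafeSimulation = exports.runSimulation = exports.allowedContextKeysForRequest = exports.findContextKeys = exports.isConditionKeyArray = exports.typeForContextKey = void 0;
+exports.isWildcardOnlyAction = exports.runUnsafeSimulation = exports.runSimulation = exports.allowedContextKeysForRequest = exports.findContextKeys = exports.isConditionKeyArray = exports.typeForContextKey = exports.getDenialReasons = void 0;
+var analyzeResults_js_1 = require("./analysis/analyzeResults.js");
+Object.defineProperty(exports, "getDenialReasons", { enumerable: true, get: function () { return analyzeResults_js_1.getDenialReasons; } });
 var contextKeys_js_1 = require("./context_keys/contextKeys.js");
 Object.defineProperty(exports, "typeForContextKey", { enumerable: true, get: function () { return contextKeys_js_1.typeForContextKey; } });
 var contextKeyTypes_js_1 = require("./context_keys/contextKeyTypes.js");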
package/dist/cjs/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAFxC,yHAAA,mBAAmB,OAAA;AAGrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAAA,kEAIqC;AAHnC,qHAAA,gBAAgB,OAAA;AAIlB,gEAAiE;AAAxD,mHAAA,iBAAiB,OAAA;AAC1B,wEAI0C;AAFxC,yHAAA,mBAAmB,OAAA;AAGrB,wEAAmE;AAA1D,qHAAA,eAAe,OAAA;AAiBxB,qEAAiF;AAAxE,8HAAA,4BAA4B,OAAA;AAMrC,+EAAuE;AAA9D,oHAAA,aAAa,OAAA;AAGtB,2FAAmF;AAA1E,gIAAA,mBAAmB,OAAA;AAC5B,qCAAgD;AAAvC,+GAAA,oBAAoB,OAAA"}
|
|
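--- /dev/null
+++ b/package/dist/esm/analysis/analyzeResults.d.ts
@@ -0,0 +1,37 @@
+import { RequestAnalysis } from '../evaluate.js';
+/**
+* Analyze a RequestAnalysis to see if the request was allowed by identity policies.
+*
+* @param requestAnalysis the request analysis
+* @returns true if the request was allowed by identity policies, false otherwise
+*/
+export declare function isAllowedByIdentityPolicies(requestAnalysis: RequestAnalysis): boolean;
+export type DenialPolicyType = 'identity' | 'resource' | 'scp' | 'rcp' | 'permissionBoundary' | 'endpointPolicy';
+export type RequestDenial = {
+policyType: DenialPolicyType;
+identifier?: string;
+denialType: 'Implicit';
+} | {
+policyType: DenialPolicyType;
+policyIdentifier?: string;
+statementId: string;
+denialType: 'Explicit';
+};
+/**
+* Find the policy statements that caused a request to be denied.
+* Analyzes the RequestAnalysis and returns the specific reasons why the request was denied.
+*
+* For an implicit denial, it returns:
+* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
+* - the identifier, if applicable for an Organizational Unit identifier for SCPs.
+*
+* For an explicit denial, it returns:
+* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
+* - the policy identifier, if applicable for a managed policy or an SCP
+* - the statement ID (or index) of the denying statement.
+*
+* @param requestAnalysis the request analysis
+* @returns a list of RequestDenial objects describing the reasons for denial
+*/
+export declare function getDenialReasons(requestAnalysis: RequestAnalysis): RequestDenial[];
+//# sourceMappingURL=analyzeResults.d.ts.map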
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyzeResults.d.ts","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,eAAe,EAGhB,MAAM,gBAAgB,CAAA;AAEvB;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,eAAe,EAAE,eAAe,GAAG,OAAO,CAOrF;AAED,MAAM,MAAM,gBAAgB,GACxB,UAAU,GACV,UAAU,GACV,KAAK,GACL,KAAK,GACL,oBAAoB,GACpB,gBAAgB,CAAA;AAEpB,MAAM,MAAM,aAAa,GACrB;IACE,UAAU,EAAE,gBAAgB,CAAA;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,UAAU,CAAA;CACvB,GACD;IACE,UAAU,EAAE,gBAAgB,CAAA;IAC5B,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,WAAW,EAAE,MAAM,CAAA;IACnB,UAAU,EAAE,UAAU,CAAA;CACvB,CAAA;AAEL;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,gBAAgB,CAAC,eAAe,EAAE,eAAe,GAAG,aAAa,EAAE,CAiBlF"}
|
|
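--- /dev/null
+++ b/package/dist/esm/analysis/analyzeResults.js
@@ -0,0 +1,91 @@
+/**
+* Analyze a RequestAnalysis to see if the request was allowed by identity policies.
+*
+* @param requestAnalysis the request analysis
+* @returns true if the request was allowed by identity policies, false otherwise
+*/
+export function isAllowedByIdentityPolicies(requestAnalysis) {
+const identityAnalysis = requestAnalysis.identityAnalysis;
+if (!identityAnalysis) {
+return false;
+}
+return identityAnalysis.result === 'Allowed';
+}
+/**
+* Find the policy statements that caused a request to be denied.
+* Analyzes the RequestAnalysis and returns the specific reasons why the request was denied.
+*
+* For an implicit denial, it returns:
+* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
+* - the identifier, if applicable for an Organizational Unit identifier for SCPs.
+*
+* For an explicit denial, it returns:
+* - the policy type (identity, resource, scp, rcp, permission boundary, endpoint policy)
+* - the policy identifier, if applicable for a managed policy or an SCP
+* - the statement ID (or index) of the denying statement.
+*
+* @param requestAnalysis the request analysis
+* @returns a list of RequestDenial objects describing the reasons for denial
+*/
+export function getDenialReasons(requestAnalysis) {
+const denials = [];
+const overallResult = requestAnalysis.result;
+addSimplePolicyDenials(requestAnalysis.identityAnalysis, 'identity', overallResult, denials);
+addSimplePolicyDenials(requestAnalysis.resourceAnalysis, 'resource', overallResult, denials);
+addOuPolicyDenials(requestAnalysis.scpAnalysis, 'scp', overallResult, denials);
+addOuPolicyDenials(requestAnalysis.rcpAnalysis, 'rcp', overallResult, denials);
+addSimplePolicyDenials(requestAnalysis.permissionBoundaryAnalysis, 'permissionBoundary', overallResult, denials);
+addSimplePolicyDenials(requestAnalysis.endpointAnalysis, 'endpointPolicy', overallResult, denials);
+return denials;
+}
+/**
+* Helper for identity-style policies (identity, resource, permissionBoundary, endpoint).
+* Adds denial reasons from a simple policy analysis.
+*/
+function addSimplePolicyDenials(analysis, policyType, overallResult, denials) {
+if (!analysis)
+return;
+if (analysis.result === 'ImplicitlyDenied' && overallResult === 'ImplicitlyDenied') {
+denials.push({ policyType, denialType: 'Implicit' });
+}
+else if (analysis.result === 'ExplicitlyDenied' && overallResult === 'ExplicitlyDenied') {
+for (const stmt of analysis.denyStatements) {
+denials.push({
+policyType,
+policyIdentifier: stmt.policyId,
+statementId: stmt.statement.sid() || stmt.statement.index().toString(),
+denialType: 'Explicit'
+});
+}
+}
+}
+/**
+* Helper for OU-based policies (scp, rcp).
+* Adds denial reasons from an organizational policy analysis.
+*/
+function addOuPolicyDenials(analysis, policyType, overallResult, denials) {
+if (!analysis)
+return;
+if (analysis.result === 'ImplicitlyDenied' && overallResult === 'ImplicitlyDenied') {
+for (const ou of analysis.ouAnalysis) {
+if (ou.result === 'ImplicitlyDenied') {
+denials.push({ policyType, identifier: ou.orgIdentifier, denialType: 'Implicit' });
+}
+}
+}
+else if (analysis.result === 'ExplicitlyDenied' && overallResult === 'ExplicitlyDenied') {
+for (const ou of analysis.ouAnalysis) {
+if (ou.result === 'ExplicitlyDenied') {
+for (const stmt of ou.denyStatements) {
+denials.push({
+policyType,
+policyIdentifier: stmt.policyId,
+statementId: stmt.statement.sid() || stmt.statement.index().toString(),
+denialType: 'Explicit'
+});
+}
+}
+}
+}
+}
+//# sourceMappingURL=analyzeResults.js.map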
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyzeResults.js","sourceRoot":"","sources":["../../../src/analysis/analyzeResults.ts"],"names":[],"mappings":"AASA;;;;;GAKG;AACH,MAAM,UAAU,2BAA2B,CAAC,eAAgC;IAC1E,MAAM,gBAAgB,GAAG,eAAe,CAAC,gBAAgB,CAAA;IACzD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,gBAAgB,CAAC,MAAM,KAAK,SAAS,CAAA;AAC9C,CAAC;AAuBD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,gBAAgB,CAAC,eAAgC;IAC/D,MAAM,OAAO,GAAoB,EAAE,CAAA;IACnC,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAA;IAE5C,sBAAsB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC5F,sBAAsB,CAAC,eAAe,CAAC,gBAAgB,EAAE,UAAU,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC5F,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC9E,kBAAkB,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAC9E,sBAAsB,CACpB,eAAe,CAAC,0BAA0B,EAC1C,oBAAoB,EACpB,aAAa,EACb,OAAO,CACR,CAAA;IACD,sBAAsB,CAAC,eAAe,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,aAAa,EAAE,OAAO,CAAC,CAAA;IAElG,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAC7B,QAAyD,EACzD,UAA4B,EAC5B,aAA+B,EAC/B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,IAAI,QAAQ,CAAC,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QACnF,OAAO,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAA;IACtD,CAAC;SAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QAC1F,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC3C,OAAO,CAAC,IAAI,CAAC;gBACX,UAAU;gBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;gBACtE,UAAU,EAAE,UAAU;aACvB,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,kBAAkB,CACzB,QAA+C,EAC/C,UAA4B,EAC5B,aAA+B,EAC/B,OAAwB;IAExB,IAAI,CAAC,QAAQ;QAAE,OAAM;IAErB,IAAI,QAAQ,CAAC,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QACnF,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,OAAO,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,CAAC,aAAa,EAAE,UAAU,EAAE,UAAU,EAAE,CAAC,CAAA;YACpF,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IAAI,QAAQ,CAA
C,MAAM,KAAK,kBAAkB,IAAI,aAAa,KAAK,kBAAkB,EAAE,CAAC;QAC1F,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACrC,IAAI,EAAE,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;gBACrC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;oBACrC,OAAO,CAAC,IAAI,CAAC;wBACX,UAAU;wBACV,gBAAgB,EAAE,IAAI,CAAC,QAAQ;wBAC/B,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;wBACtE,UAAU,EAAE,UAAU;qBACvB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC"}
|
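--- a/package/dist/esm/index.d.ts
+++ b/package/dist/esm/index.d.ts
@@ -1,8 +1,9 @@
+export { getDenialReasons, type DenialPolicyType, type RequestDenial } from './analysis/analyzeResults.js';
 export { typeForContextKey } from './context_keys/contextKeys.js';
 export { BaseConditionKeyType, isConditionKeyArray, type ConditionKeyType } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';
 export type { SimulationMode } from './core_engine/CoreSimulatorEngine.js';
-export type { EvaluationResult, IgnoredCondition, IgnoredConditions } from './evaluate.js';
+export type { EvaluationResult, IgnoredCondition, IgnoredConditions, RequestAnalysis } from './evaluate.js';
 export type { ActionExplain, ConditionExplain, ConditionValueExplain, ExplainPrincipalMatch, PrincipalExplain, ResourceExplain, StatementExplain } from './explain/statementExplain.js';
 export { allowedContextKeysForRequest } from './simulation_engine/contextKeys.js';
 export type { Simulation, SimulationIdentityPolicy, SimulationOrgPolicies } from './simulation_engine/simulation.js';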
package/dist/esm/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,KAAK,gBAAgB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,sCAAsC,CAAA;AAC1E,YAAY,EACV,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,eAAe,EAChB,MAAM,eAAe,CAAA;AACtB,YAAY,EACV,aAAa,EACb,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,EAChB,eAAe,EACf,gBAAgB,EACjB,MAAM,+BAA+B,CAAA;AACtC,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AACjF,YAAY,EACV,UAAU,EACV,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AACvE,YAAY,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,yCAAyC,CAAA;AACjG,YAAY,EAAE,iBAAiB,EAAE,MAAM,0CAA0C,CAAA;AACjF,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|
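--- a/package/dist/esm/index.js
+++ b/package/dist/esm/index.js
@@ -1,3 +1,4 @@
+export { getDenialReasons } from './analysis/analyzeResults.js';
 export { typeForContextKey } from './context_keys/contextKeys.js';
 export { isConditionKeyArray } from './context_keys/contextKeyTypes.js';
 export { findContextKeys } from './context_keys/findContextKeys.js';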
package/dist/esm/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EAEL,mBAAmB,EAEpB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,gBAAgB,EAGjB,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAA;AACjE,OAAO,EAEL,mBAAmB,EAEpB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,mCAAmC,CAAA;AAiBnE,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAA;AAMjF,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAA;AAGvE,OAAO,EAAE,mBAAmB,EAAE,MAAM,+CAA+C,CAAA;AACnF,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAA"}
|